Re: update to NFS V[23] security draft


From: Damon Atkins (Damon.Atkins@nabaus.com.au)
Date: 01/10/99-09:19:04 PM Z


Message-ID: <36996DA8.DD5A9C6C@nabaus.com.au>
Date: Mon, 11 Jan 1999 14:19:04 +1100
From: Damon Atkins <Damon.Atkins@nabaus.com.au>
Subject: Re: update to NFS V[23] security draft



Mike Eisler wrote:

>   The Security Draft looks like it does not support multiple
>   authentication from a single client.
>
>   For example:
>
>     For example, James on his NC has mounted hades:/export/home/james.
>     Ben wishes to give James a file, so he hops on James's computer and
>     mounts hades:/export/home/ben; it fails as James does not have access,
>     and hence the NC prompts the user for a username and password.
>     Ben successfully logs on and copies the file to James's account, and
>     unmounts his home account.
>
>   Damon.
>
>
> I've implemented the draft, albeit not on an NC, but it supports
> multiple authentication systems from a client. NFS clients have
> been doing this ever since the advent of AUTH_DES over ten years ago.

In the paragraph above you said "multiple authentication systems"; I am
talking about a single UDP/TCP connection to a server supporting two
or more users from a single client, not from a trusted client.

eg mount D: /export/home/james userid=james password=xyz
   mount  E: /export/home/bin userid=ben password=qwerty
  copy D:/filename E:/filename
  logout userid=ben (ie everything to do with ben
         is no longer valid, access to drive E: will fail.)

ie individual authentication and individual logout from an
untrusted NFS client (ie you do not want to use AUTH_SYS).

We should be able to write an ftp-like client using the NFS protocol.

We will need this sort of authentication for proxying.

eg
  connect , NFS Client (host hades user ben)-> NFS proxy -> NFS server mensa
auth needed for ben, NFS Client <- NFS proxy <- NFS server mensa
Also at the same time
   connect, NFS Client (host hades user jim) -> NFS proxy -> NFS server mensa
    etc
   connect NFS Client (host hades user jim) -> NFS proxy -> NFS server rana

Note: mensa, rana, hades are all owned by different companies and do not
share any password information, and UDP and TCP are both being used for the
connections.

To solve this ??? we need to have multiple authentication handles per client.
ie open(AuthHandle,filename,etc)
   delete(AuthHandle,filename)
   aclmod(AuthHandle,filename,acl)

For example the AuthHandle could be a certificate.

If GSS-API does accomplish the above, will this work through a proxy server?
(proxy server must be able to pass on authentication information)







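The per-user AuthHandle scheme the message above sketches (two users on one untrusted client, each operation carrying its own handle, individual logout), modelled as an added example that is not part of the original post or of any NFS draft or implementation. The `Server` class, the `hades` exports and the james/ben passwords are constructed sample data; `scenario()` replays the mount D:/mount E:/copy/logout sequence from the message.

```python
from dataclasses import dataclass, field
import secrets

@dataclass
class Server:                                   # server "hades" (constructed sample data)
    users: dict                                 # username -> password
    exports: dict                               # export path -> [owner, contents]
    handles: dict = field(default_factory=dict) # AuthHandle -> username
    def login(self, user, password):
        # Each successful login mints its own unguessable AuthHandle.
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        handle = secrets.token_hex(16)
        self.handles[handle] = user
        return handle
    def logout(self, handle):
        # Individual logout: only this handle dies; other users' handles survive.
        self.handles.pop(handle, None)
    def _export_for(self, handle, export):
        user = self.handles.get(handle)
        if user is None:
            raise PermissionError("handle no longer valid")
        if self.exports[export][0] != user:
            raise PermissionError(f"{user} has no access to {export}")
        return self.exports[export]
    def read(self, handle, export):
        return self._export_for(handle, export)[1]
    def write(self, handle, export, data):
        self._export_for(handle, export)[1] = data

def denied(call):
    # True if the server refused the call with PermissionError.
    try:
        call()
    except PermissionError:
        return True
    return False

def scenario():
    srv = Server({"james": "xyz", "ben": "qwerty"},
                 {"/export/home/james": ["james", b"from james"],
                  "/export/home/ben": ["ben", b""]})
    d = srv.login("james", "xyz")               # mount D: userid=james
    e = srv.login("ben", "qwerty")              # mount E: userid=ben
    srv.write(e, "/export/home/ben", srv.read(d, "/export/home/james"))  # copy D: E:
    srv.logout(e)                               # logout userid=ben
    return {
        "james_still_ok": srv.read(d, "/export/home/james") == b"from james",
        "ben_drive_dead": denied(lambda: srv.read(e, "/export/home/ben")),
        "handles_isolated": denied(lambda: srv.read(d, "/export/home/ben")),
    }
```

After Ben's logout his handle is refused while James's keeps working, and James's handle never reaches Ben's export, which is the property that AUTH_SYS on an untrusted client cannot give.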

This archive was generated by hypermail 2.1.2 : 03/04/05-01:46:37 AM Z CST